Application Testing

Comprehensive application security assurance service throughout the software development life cycle (SDLC)

Objective, independent and pragmatic security advice

Application Testing Issues

Software applications are the reason for using complex computer systems. They are the means of harnessing the power of the hardware, to provide value through functionality. Applications are the access points to your information assets.

Unfortunately, owing to their complexity and the inevitable business pressures during development, applications are more often than not the weak points in an organisation’s security. Organisations are understandably focused on ensuring that business functional requirements are delivered by the development teams; time-to-market can be critical for application development. In this environment, it is all too easy to overlook critical flaws in design, code implementation, or underlying vulnerabilities in the commercial components that are an integral part of the application or the environment in which it operates.

Attackers are only too aware of the potential weakness in applications, and application level attacks are still one of the major sources of unauthorised access to, or misuse of, systems today. By their very nature, they bypass traditional defences, and are extremely difficult to detect.

There is therefore always a delicate balance to be struck between functional requirements, business needs, and security risk. Commissum is able to provide comprehensive application security assurance services that include design assurance consultancy throughout the development lifecycle, development audit, critical phase review, code review, and specialist security application testing.

Approach

Ideally, a client will engage the services of Commissum’s security assurance specialists at the earliest phases of a project. It is significantly more cost-effective to design with best-practice security in mind from the start. However, the knowledge and skills of the Commissum team can be applied at all stages, particularly as independent security testers as part of system proving.

The approach taken to any assignment can be either “Black Box” (limited prior knowledge) or “White Box” (full application knowledge), although ideally a combination of both approaches is used for greatest effect.

Depending on the agreed scope, the following elements may be included in testing:

Test functions exposed to users or other applications

Monitor network traffic for transmission of information of benefit to an attacker

Test for a wide range of typical vulnerabilities including the OWASP top ten

Test for resilience to inappropriate data input

Review systems software for known security flaws and common coding errors

Check infrastructure implementation for secure operation

Test that the application is not prone to “fail open” (granting access or continuing processing when a check errors, times out or is bypassed)

Check the protection of sensitive information and administrative functions

Code review through use of automated tools or manual checking or a combination of both

Code-assisted testing (black-box testing informed by access to the source)
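The “fail open” item above is the one most often misunderstood, so here is an added illustration (example code written for this page, not Commissum’s own tooling or a client application). It places a fail-open authorisation check beside its fail-closed counterpart and runs the kind of probes a tester would send: a malformed identifier and a request made while the policy backend is unavailable. The policy store, the `PolicyError` type and the function names are assumptions made for the example.

```python
"""Fail-open vs fail-closed authorisation checks, with tester-style probes.

Added example for illustration; names and the in-memory policy store are
assumptions, not code from Commissum or any client system.
"""


class PolicyError(Exception):
    """Raised when the policy backend cannot answer (assumed error type)."""


# Constructed sample policy store standing in for a directory or database.
POLICY = {
    "alice": {"reports:read"},
    "bob": {"reports:read", "reports:admin"},
}


def lookup_permissions(user, backend=POLICY):
    """Return the permission set for `user`, or raise PolicyError.

    Simulates two realistic error paths: malformed input rejected by the
    backend, and the backend being unavailable (backend is None).
    """
    if not isinstance(user, str) or not user.isidentifier():
        raise PolicyError("malformed user identifier")
    if backend is None:
        raise PolicyError("policy backend unavailable")
    return backend.get(user, frozenset())


def is_allowed_fail_open(user, permission, backend=POLICY):
    """Vulnerable pattern: a 'denied' flag that only the happy path can set."""
    denied = False
    try:
        if permission not in lookup_permissions(user, backend):
            denied = True
    except PolicyError:
        pass  # bug: the error leaves denied == False, so access is granted
    return not denied


def is_allowed_fail_closed(user, permission, backend=POLICY):
    """Hardened pattern: deny by default, grant only on an explicit allow."""
    try:
        perms = lookup_permissions(user, backend)
    except PolicyError:
        return False  # backend failure or bad input -> deny, and log upstream
    return permission in perms


# Constructed probes: an identifier the backend rejects, and a valid user
# asking for a permission they lack while the backend is down.
PROBES = [
    ("../../etc/passwd", "reports:admin", POLICY),
    ("alice", "reports:admin", None),
]


def find_fail_open(check):
    """Return the (user, permission) probes for which `check` granted access.

    Every probe is an error-path request that should be denied, so any entry
    in the result is a fail-open finding for that check.
    """
    return [(user, perm) for user, perm, backend in PROBES
            if check(user, perm, backend)]


if __name__ == "__main__":
    for name, check in (("fail-open", is_allowed_fail_open),
                        ("fail-closed", is_allowed_fail_closed)):
        print(f"{name}: granted on error path -> {find_fail_open(check)}")
```

Both checks agree on ordinary requests (alice may read but not administer reports); they differ only when the lookup raises. That is why a test plan for this item needs error-path inputs and a deliberately unavailable dependency, not just valid and invalid credentials.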

Application Testing Customer Benefits

Commissum provides:

A concentrated pool of security-focused resource to advise on best practice security implementation

Objective, independent, current security knowledge of a wide range of commercial software and applications

Comprehensive testing of bespoke applications by drawing on concentrated security knowledge to devise tailored threat scenarios: thinking like an attacker is different from thinking like a user

Advice on best practice measures and corrective action required to improve security deployment and integrity

Independent expert assurance that applications and processes are able to resist a range of attacks

Greater confidence that the system will not make headlines as a hacker’s, criminal’s or terrorist’s latest victim

Commissum is able to recommend hardened configurations for system components that enable required functionality, while disabling unneeded features and improving integrity and resistance to attack.